Evaluation Report

OIG-CA-09-007
INFORMATION TECHNOLOGY: Treasury’s Federal Desktop Core Configuration Deviation Tracking Process Is Inadequate
February 19, 2009

Office of Inspector General
Department of the Treasury


Contents

Evaluation Report ................................................................ 3

    Results in Brief .............................................................. 3
    Background .................................................................... 4
    Findings and Recommendations .................................................. 7
        OCIO’s FDCC Deviations Tracking Is Inadequate ............................ 7
        Recommendations ........................................................... 8
        OCIO’s FDCC Deviations Tracking Policies Are Inconsistent ................ 8
        Recommendation ............................................................ 9

    Appendices

    Appendix 1: Objective, Scope, and Methodology ................................. 12
    Appendix 2: Management Response ............................................... 13
    Appendix 3: Major Contributors ................................................ 15
    Appendix 4: Report Distribution ............................................... 16

Treasury’s Federal Desktop Core Configuration Deviation Tracking Process Is Inadequate (OIG-CA-07-009)   Page 1


Abbreviations

CIO      chief information officer
FDCC     Federal Desktop Core Configuration
IT       information technology
NIST     National Institute of Standards and Technology
OCIO     Treasury Office of the Chief Information Officer
OMB      Office of Management and Budget
POA&M    plan of action and milestones
TCIO     Treasury Chief Information Officer
TTB      Alcohol and Tobacco Tax and Trade Bureau


OIG
The Department of the Treasury
Office of Inspector General
Evaluation Report


Michael D. Duffy
Deputy Assistant Secretary for Information Systems and Chief Information Officer
Department of the Treasury

We recently completed the evaluation of the Department of the Treasury’s Alcohol and Tobacco Tax and Trade Bureau (TTB) to determine whether sufficient protections exist to prevent intrusions into TTB’s network and systems. [1] We also examined TTB’s compliance with the requirement to implement the National Institute of Standards and Technology (NIST) Federal Desktop Core Configuration (FDCC). [2] During our evaluation, several matters relating to the Treasury Office of the Chief Information Officer’s (OCIO) policies and procedures for tracking FDCC deviations came to our attention. We are issuing this report to address these matters.

We performed our fieldwork at TTB from January through July 2008. We performed subsequent follow-up work with OCIO through January 2009. Appendix 1 contains a detailed description of our objective, scope, and methodology.

[1] Information Technology: Network Security at the Alcohol and Tobacco Tax and Trade Bureau Could Be Improved, OIG-CA-09-005 (Dec. 18, 2008).
[2] Office of Management and Budget (OMB) Memorandum M-07-11, “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems” (Mar. 22, 2007), required agencies to implement common security configurations developed by NIST for Windows Vista and XP operating systems by February 1, 2008.


Results in Brief

We determined that Treasury’s FDCC deviation tracking policies and procedures need improvement. Specifically, we noted that while OCIO tracks the number of deviations reported by the bureaus on a monthly basis, it does not track or evaluate the details associated with each deviation. For instance, OCIO does not keep track of the name of the FDCC setting that will not be implemented, the description of the FDCC setting, the bureau’s justification for not implementing the FDCC setting, or the estimated remediation date for each deviation. In addition, we found that the Treasury Chief Information Officer’s (TCIO) policies provide inconsistent instructions on tracking security weaknesses.

Our two overall findings are as follows:

1. OCIO’s FDCC deviations tracking is inadequate.
2. OCIO’s FDCC deviations tracking policies are inconsistent.

We are making the following three overall recommendations to the Treasury Chief Information Officer (CIO) to address the above issues:

1. Expand OCIO’s FDCC deviation tracking to include the name of the FDCC setting that will not be implemented, description of the FDCC setting, bureau justification for not implementing the FDCC setting, and estimated remediation date for each deviation, if applicable.
2. Review and evaluate the legitimacy of the deviations reported by the bureaus.
3. Replace or update TCIO M-07-04 and M-08-04 to provide consistent guidance for tracking FDCC deviations.

The Treasury CIO concurred with our findings and recommendations and provided plans for corrective actions (see appendix 2).


Background

Organized into bureaus and offices, Treasury encompasses a wide range of programs and operations. The Treasury bureaus include TTB, the Bureau of Engraving and Printing, the Bureau of the Public Debt, the Community Development Financial Institutions Fund, the Financial Crimes Enforcement Network, the Financial Management Service, the Internal Revenue Service, the Office of the Comptroller of the Currency, the Office of Inspector General, the Office of Thrift Supervision, the United States Mint, and the Treasury Inspector General for Tax Administration. The Treasury offices are composed of divisions headed by Assistant Secretaries and Under Secretaries who are primarily responsible for policy formulation and overall management of Treasury. These offices are collectively known as Departmental Offices.

Office of Management and Budget (OMB) Memorandum 07-11, “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems,” required that agencies implement common security configurations developed by NIST for Windows Vista and XP operating systems by February 1, 2008. [3] Common security configurations provide a baseline level of security, reduce risk from security threats and vulnerabilities, and save time and resources. They allow agencies to improve system performance, decrease operating costs, and help ensure public confidence in the confidentiality, integrity, and availability of government information. OMB Memorandum 07-18, “Ensuring New Acquisitions Include Common Security Configurations,” requires new acquisitions to include these configurations and requires information technology (IT) providers to certify that their products operate effectively using these configurations. [4]

OMB recognizes that some agencies may have difficulty implementing all the FDCC requirements because of technical issues. On March 20, 2007, OMB issued a memorandum instructing agencies to provide documentation to NIST of any deviations from the FDCC common security baseline and the rationale for such deviations. [5] Additionally, OMB instructed agencies to report FDCC compliance through their organization’s CIO hierarchy. Compliance is expressed in terms of numbers of compliant versus noncompliant computers. For noncompliant computers, CIOs must provide a representative sample of Security Content Automation Protocol–based assessment reports. [6] This information should be sent to OMB with a copy to NIST, which will perform trend analysis on all federal data on noncompliant computers and present findings to OMB.

[3] OMB M-07-11, “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems” (Mar. 22, 2007).
[4] OMB M-07-18, “Ensuring New Acquisitions Include Common Security Configurations” (June 1, 2007).
[5] Memorandum from Karen Evans, Administrator, Office of E-Government and Information Technology, to Chief Information Officers, “Managing Security Risk By Using Federal Desktop Core Configuration” (Mar. 22, 2007).
[6] The Security Content Automation Protocol is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., Federal Information Security Management Act compliance).

The Treasury CIO is responsible for implementing FDCC for Treasury and reporting compliance to OMB and NIST. OCIO policies relating to common security configurations or FDCC are as follows:

• TCIO memorandum M-07-01, “Security Configuration and Vulnerability Management Policy” (January 30, 2007), requires Treasury bureaus and offices to use the NIST security configuration checklists repository. This memorandum was designed to address the finding in the 2006 Federal Information Security Management Act report that Treasury lacks an agency-wide configuration management policy.

• TCIO memorandum M-07-04 requires bureaus to use the OMB-specified Windows XP and Vista configuration settings as the basis for deployed standard security configurations. TCIO M-07-04 also states that any security weaknesses identified during the development or execution of bureau plans regarding use of common security configurations should be entered in the plan of action and milestones (POA&M) [7] process as described in TCIO memorandum M-06-01, “Improving the Department’s Security Plan of Action and Milestone (POA&M) Process” (March 24, 2006).

• TCIO memorandum M-08-04 states that deviations from the FDCC baselines for Vista and XP (and other platforms as FDCC settings are established) are to be considered weaknesses and tracked for remediation via the bureau POA&M process unless a bureau has documented a business requirement for the deviation(s) as an element of a modified FDCC baseline configuration. FDCC settings for Vista and XP are expected to change over time. A single POA&M entry can address one or multiple deviations, provided the deviations are broken out elsewhere to help ensure completeness and so that remediation can be tracked.

[7] Agency CIOs, working with other appropriate agency officials, are responsible for developing a POA&M for each program and system for which a weakness was identified. The purpose of a POA&M is to help agencies identify, assess, prioritize, and monitor progress of corrective efforts for security weaknesses in programs and systems.


Findings and Recommendations

Finding 1  OCIO’s FDCC Deviations Tracking Process Is Inadequate

We determined that OCIO’s FDCC deviations tracking process is inadequate. Even though OCIO tracks the number of deviations reported by the bureaus on a monthly basis, it does not track the details associated with each deviation or the bureaus’ rationale for the deviation. For example, during our review of TTB’s FDCC compliance, we requested that OCIO provide us with a copy of TTB’s deviation submission for April 2008. After reviewing TTB’s submission to OCIO, we were able to verify that TTB had reported 11 deviations to OCIO. However, we were unable to verify the details of these deviations because OCIO does not track this information. Specifically, OCIO does not keep track of the FDCC setting name, description, and the justification for the deviated settings. Also, we could not determine whether OCIO was able to evaluate the justification for the deviation or whether the deviation reflected a reasonable business requirement.

In the March 20, 2007 memorandum to CIOs, OMB instructed agencies to provide documentation to NIST of any deviations from the FDCC common security baseline and the rationale for doing so. Additionally, OMB instructed agencies to report FDCC compliance through their organization’s CIO hierarchy. The Treasury CIO is responsible for implementing FDCC for Treasury and reporting compliance to OMB and NIST.

It is vital to maintain complete records on all FDCC deviations, including deviation details such as the FDCC setting name and description, as well as any bureau rationale for the deviations. If the details of the deviations are not tracked, OCIO may not have an effective method of overseeing and reviewing the legitimacy of the reported deviations. In addition, OCIO cannot draw conclusions based solely on the number of deviations reported by bureaus; additional detail is necessary. Failure to maintain complete information on FDCC deviations could adversely affect the accuracy of Treasury’s FDCC deviations submission to NIST for OMB reporting.

Recommendations

We recommend that the Treasury CIO

1. expand FDCC deviation tracking to include the name of the FDCC setting that will not be implemented, description of the FDCC setting, bureau justification for not implementing the FDCC setting, and estimated remediation date for each deviation, if applicable; and
2. review and evaluate the legitimacy of the deviations reported by the bureaus.


Finding 2  OCIO’s FDCC Deviations Tracking Policies Are Inconsistent

During our evaluation at TTB, we found that the following two TCIO policies provide inconsistent instructions to the bureaus for tracking security weaknesses:

• TCIO M-07-04, “Implementation of Common Security Configurations for IT Systems Using Windows XP or Vista” (April 17, 2007)

• TCIO M-08-04, “Additional Cyber Security Controls and Recommended Practices,” section CVM.11 (June 27, 2008)

On April 17, 2008, OCIO issued TCIO M-07-04 as its guidance to Treasury bureaus for implementing common security configurations for IT systems using Windows XP or Vista. Specifically, TCIO M-07-04 states, “consistent with the requirements set forth in OMB memorandums M-07-11, the bureaus are to use the OMB-specified Windows XP and Vista configuration settings, as the basis for deployed standard security configuration.” TCIO M-07-04 requires that “any security weaknesses identified during the development or execution of bureau plans regarding use of common security configurations should be entered into the POA&M process as described in the TCIO M-06-01.” TCIO M-07-04 was issued to implement requirements in OMB-07-11 directing agencies with Windows XP deployed and/or that plan to upgrade to the Vista operating system to adopt the FDCC, also known as commonly accepted security configurations.

On June 27, 2008, OCIO issued TCIO memorandum M-08-04, stating that “deviations from the FDCC baselines for Vista and XP (and other platforms as FDCC settings are established) shall be considered weaknesses and tracked for remediation via bureau POA&M process unless a bureau has documented a business requirement for the deviation(s) as an element of a modified FDCC baseline configuration.”

We contacted OCIO about the unclear guidance. According to OCIO, bureaus are not required to track an FDCC deviation as a security weakness in the POA&M process as long as they have documented the rationale for the deviation. However, TCIO M-08-04 does not contain any clause to nullify the policy requirement in TCIO M-07-04 that “any security weaknesses identified during the development or execution of bureau plans regarding use of common security configurations should be entered into the POA&M process.”

The Treasury CIO is responsible for providing Treasury-wide leadership and direction for all areas of information and technology management, as well as for oversight of a number of IT programs. Among these programs is Cyber Security, whose mission is to develop and implement IT security policies and provide policy compliance oversight for both unclassified and classified systems managed by each of Treasury’s operating bureaus and offices. The Treasury CIO has given the Associate CIO for Cyber Security responsibility for managing and directing OCIO’s Cyber Security program, as well as for ensuring compliance with applicable statutes, regulations, policies, and guidance.

OCIO policies and guidance on tracking FDCC deviations remain unclear and inconsistent and, as a result, are subject to interpretation. Therefore, confusion may occur and compliance with IT security policy may be impossible to enforce effectively.

Recommendation

We recommend that the Treasury CIO

3. replace or update TCIO M-07-04 and M-08-04 to provide consistent guidance for tracking FDCC deviations.

Management Response

As noted in appendix 2, OCIO agreed with our findings and recommendations, and will be implementing our recommendations by May 2009.

OIG Response

We agree that the formal steps OCIO has proposed are responsive to the intent of our findings and recommendations.


******

If you have any questions, please contact me at (202) 927-5171 or Abdirahman Salah, IT Specialist, Office of Information Technology Audits, at (202) 927-5763. Major contributors to this report are listed in appendix 2.

/s/

Tram J. Dang, Director
Office of Information Technology Audits


Appendix 1
Objective, Scope, and Methodology

We recently completed an evaluation to determine whether sufficient protections exist at the Alcohol and Tobacco Tax and Trade Bureau (TTB) to prevent intrusions into TTB’s network and systems. [8] We also examined TTB’s compliance with the requirement to implement the National Institute of Standards and Technology Federal Desktop Core Configuration (FDCC). [9] Our primary objective for this report was to address the matters that came to our attention during our evaluation at TTB relating to the Office of the Chief Information Officer’s (OCIO) policies and procedures for tracking FDCC deviations. To accomplish this objective, we analyzed documents received from TTB and OCIO relating to FDCC, reviewed Treasury Chief Information Officer policies, and contacted TTB and OCIO personnel for clarification.

We performed our fieldwork at TTB from January through July 2008. We performed subsequent follow-up work with OCIO through January 2009. Fieldwork was conducted at TTB headquarters and at OCIO in Washington, D.C.

[8] Information Technology: Network Security at the Alcohol and Tobacco Tax and Trade Bureau Could Be Improved, OIG-CA-09-005 (Dec. 18, 2008).
[9] Office of Management and Budget (OMB) Memorandum M-07-11, “Implementation of Commonly Accepted Security Configurations for Windows Operating Systems” (Mar. 22, 2007), required agencies to implement common security configurations developed by NIST for Windows Vista and XP operating systems by February 1, 2008.


Appendix 2
Management Response


Appendix 3
Major Contributors

Office of Information Technology Audits

Tram J. Dang, Director
Abdirahman M. Salah, IT Specialist (Lead)
Gerald J. Steere, IT Specialist
Jane Lee, IT Specialist
Larissa Klimpel, IT Specialist
Shiela S. Michel, Referencer


Appendix 4
Report Distribution

Department of the Treasury

    Office of Accounting and Internal Control
    Office of Strategic Planning and Performance Management

Office of Management and Budget

    Office of Inspector General Budget Examiner